4.0.60
CVE-2015-7519 is a header spoofing vulnerability in Phusion Passenger. It lets a remote client control HTTP headers that the application receives as though a trusted component had set them, which matters most where a front-end proxy is relied on to set identity, role or client-IP headers. It affects Passenger 4.x before 4.0.60 and 5.x before 5.0.22; the fix shipped in 4.0.60 and 5.0.22.
The attack substitutes underscores (_) for dashes (-) in HTTP header names. Under the CGI convention that Passenger uses to hand headers to Rack and other applications, a header name is uppercased, dashes are turned into underscores and the result is prefixed with HTTP_, so both X-User and X_User arrive in the application as HTTP_X_USER. A proxy that strips a client-supplied X-User before setting its own value will typically not strip X_User, and the attacker's value reaches the application under the trusted name. In Apache integration mode, and in Standalone mode with no filtering proxy in front, affected Passenger versions pass underscore-named headers through unchanged; nginx, by contrast, drops headers containing underscores by default (underscores_in_headers off) and so acts as such a filter. The CVSS score is LOW, and the impact is application-specific: whatever the application trusts in a proxy-set header, such as authentication or authorization decisions, internal-only markers or content selection, can be overridden. The blast radius is limited to the affected application and its environment.
CVE-2015-7519 was published on October 10, 2018. There is no indication of active exploitation campaigns targeting this vulnerability. It is not listed in CISA's KEV catalog, and its EPSS score is low (0.36%, 58th percentile). The LOW CVSS score reflects limited expected impact rather than a measure of likelihood; because the real consequence depends on which headers the application trusts, remediation is still warranted.
Exploit status
EPSS
0.36% (58th percentile)
CVSS vector
The primary mitigation for CVE-2015-7519 is to upgrade Passenger: to 4.0.60 or later on the 4.x line, or to 5.0.22 or later on the 5.x line. If upgrading is not immediately feasible, place a filtering proxy in front of Passenger that drops any request header whose name contains an underscore; nginx does this by default (underscores_in_headers off), and Apache can be configured to do the same with mod_security rules. Independently of the server fix, audit the application for headers it trusts only because a proxy is expected to set them (user identity, roles, client IP, internal-request flags): the component that sets such a header must also remove every client-supplied spelling that maps to the same CGI variable, not just the dash-spelled one. After upgrading, verify the fix by sending a request carrying an underscore-named header of your own choosing (for example X_Probe: 1) and confirming from the application side that the corresponding CGI variable (HTTP_X_PROBE) is absent from the request environment.
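The following Ruby script is an added example, not code from Phusion Passenger or from the advisory. It models the CGI-style header-to-environment mapping described above so the X-User / X_User collision can be seen directly, and then contrasts a front-end proxy that strips only the dash-spelled header with one that also applies the underscore filter recommended as a workaround. The header name X-User, the session logic and the "last header wins" assignment in build_env are assumptions made for the model, not behaviour documented for any particular server.

```ruby
# Added example (not Phusion Passenger's own code): models the CGI-style
# header-to-environment mapping that Rack applications see, to show why
# "X-User" and "X_User" collide, and a front-end filter that drops the
# underscore variant the way nginx does by default (underscores_in_headers off).

# Translate an HTTP header name into its CGI environment variable name:
# uppercase, dashes become underscores, "HTTP_" prefix. Underscores already
# present in the name survive unchanged, which is the root of the collision.
def cgi_env_name(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# Build a Rack-style env hash from an ordered list of [name, value] pairs.
# Two header names that map to the same env key end up in one variable; this
# model keeps the last one (an assumption; real servers may join or keep the
# first, but either way the attacker's spelling reaches the same variable).
def build_env(headers)
  headers.each_with_object({}) do |(name, value), env|
    env[cgi_env_name(name)] = value
  end
end

# A front-end proxy that removes a client-supplied header it intends to set
# itself, matching by exact (case-insensitive) name only. This is the
# insufficient pattern: "X_User" does not match "X-User".
def strip_client_header(headers, trusted_name)
  headers.reject { |name, _| name.casecmp?(trusted_name) }
end

# Hardened filter: drop every header whose name contains an underscore, so no
# client-chosen name can alias a dash-separated header in CGI form.
def drop_underscore_headers(headers)
  headers.reject { |name, _| name.include?("_") }
end

# Simulate an authenticating reverse proxy (hypothetical). It strips X-User
# from the client request and, if the client has a valid session, appends its
# own X-User. `harden:` toggles the underscore filter.
def proxy(headers, session_user:, harden:)
  h = harden ? drop_underscore_headers(headers) : headers
  h = strip_client_header(h, "X-User")
  h += [["X-User", session_user]] if session_user
  h
end

# Constructed sample request: an unauthenticated client trying to spoof the
# identity header by spelling it with an underscore.
CLIENT_REQUEST = [
  ["Host", "app.example.test"],
  ["X_User", "admin"],
].freeze

# What the application would read from HTTP_X_USER for the sample request.
def spoofed_user(harden:)
  env = build_env(proxy(CLIENT_REQUEST, session_user: nil, harden: harden))
  env["HTTP_X_USER"]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable pipeline: HTTP_X_USER=#{spoofed_user(harden: false).inspect}"
  puts "hardened pipeline:   HTTP_X_USER=#{spoofed_user(harden: true).inspect}"
end
```

Run it with `ruby header_spoof.rb`: the vulnerable pipeline hands the application HTTP_X_USER="admin" even though the client has no session, while the hardened pipeline leaves the variable unset. The same underscore filter is what makes a legitimate session still work, since the proxy's own X-User is added after filtering.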
CVE-2015-7519 is a vulnerability in Phusion Passenger that allows attackers to spoof HTTP headers by using underscores instead of dashes in header names, because both spellings reach the application as the same CGI variable. It affects Passenger 4.x before 4.0.60 and 5.x before 5.0.22.
You are affected if you are running Phusion Passenger 4.x before 4.0.60 or 5.x before 5.0.22 in Apache integration mode, or in Standalone mode without a filtering proxy in front of it.
Upgrade to Phusion Passenger 4.0.60 or later (4.x line) or 5.0.22 or later (5.x line). As a temporary workaround, deploy a filtering proxy that drops request headers whose names contain underscores.
There is no public evidence of active exploitation campaigns targeting CVE-2015-7519 at this time.
Refer to the Phusion Passenger security advisory: https://www.phusionpassenger.com/security/CVE-2015-7519